blackmoon | 1989d2f3db46b9c5c949f4b8498cda2a2fde7b08e4c5d1267950debe82daa2fc

General

Target

5ac529b84bed8f7e3428245e47a78667.exe
Size

277KB
MD5

5ac529b84bed8f7e3428245e47a78667
SHA1

3da3922f429143ccb6d0c3224e3d189c9bb31fa6
SHA256

1989d2f3db46b9c5c949f4b8498cda2a2fde7b08e4c5d1267950debe82daa2fc
SHA512

1093d5ddb6c4834b0b8389dc9fa648aad37ab9b170c908e6b9bb37354e1b3906db0b8485a44ab3b0a545bbe2868bfe6229488830b9c925c26f3a78bd83166962
SSDEEP

6144:sbFMvcdKa1rEgjpI+tK9/DYag1dNqaFm:sbFMEdKa1Jjl89/DYayT

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 12 IoCs

resource	yara_rule
behavioral2/memory/2656-136-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral2/memory/2656-135-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral2/memory/2656-138-0x0000000000400000-0x0000000000454000-memory.dmp	family_blackmoon
behavioral2/memory/2656-141-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral2/memory/2656-142-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral2/memory/2656-143-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral2/memory/2656-144-0x0000000002BE0000-0x0000000002BF7000-memory.dmp	family_blackmoon
behavioral2/memory/2656-151-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral2/memory/2656-152-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon
behavioral2/memory/2656-161-0x0000000004600000-0x0000000004654000-memory.dmp	family_blackmoon
behavioral2/memory/2656-165-0x00000000047A0000-0x0000000004828000-memory.dmp	family_blackmoon
behavioral2/memory/2656-178-0x0000000010000000-0x0000000010062000-memory.dmp	family_blackmoon

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2656-139-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral2/memory/2656-141-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral2/memory/2656-142-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral2/memory/2656-143-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral2/memory/2656-147-0x0000000002F90000-0x0000000003019000-memory.dmp	upx
behavioral2/memory/2656-148-0x0000000002F90000-0x0000000003019000-memory.dmp	upx
behavioral2/memory/2656-150-0x0000000002F90000-0x0000000003019000-memory.dmp	upx
behavioral2/memory/2656-151-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral2/memory/2656-152-0x0000000010000000-0x0000000010062000-memory.dmp	upx
behavioral2/memory/2656-169-0x0000000004830000-0x00000000048B9000-memory.dmp	upx
behavioral2/memory/2656-168-0x0000000004830000-0x00000000048B9000-memory.dmp	upx
behavioral2/memory/2656-171-0x0000000004830000-0x00000000048B9000-memory.dmp	upx
behavioral2/memory/2656-178-0x0000000010000000-0x0000000010062000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	5ac529b84bed8f7e3428245e47a78667.exe
Token: SeDebugPrivilege	2656	svchost.exe
Token: SeDebugPrivilege	2656	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2656	svchost.exe
2656	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1652	1260	5ac529b84bed8f7e3428245e47a78667.exe	84
PID 1260 wrote to memory of 1652	1260	5ac529b84bed8f7e3428245e47a78667.exe	84
PID 1260 wrote to memory of 1652	1260	5ac529b84bed8f7e3428245e47a78667.exe	84
PID 1260 wrote to memory of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85
PID 1260 wrote to memory of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85
PID 1260 wrote to memory of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85
PID 1260 wrote to memory of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85
PID 1260 wrote to memory of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85
PID 1260 wrote to memory of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85
PID 1260 wrote to memory of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85
PID 1260 wrote to memory of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85
PID 1260 wrote to memory of 2656	1260	5ac529b84bed8f7e3428245e47a78667.exe	85

C:\Users\Admin\AppData\Local\Temp\5ac529b84bed8f7e3428245e47a78667.exe
"C:\Users\Admin\AppData\Local\Temp\5ac529b84bed8f7e3428245e47a78667.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- \??\c:\windows\SysWOW64\svchost.exe
  c:\windows\syswow64\svchost.exe
  2⤵
  PID:1652
- \??\c:\windows\SysWOW64\svchost.exe
  c:\windows\syswow64\svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2656-133-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2656-134-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2656-136-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2656-135-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2656-138-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2656-139-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2656-141-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2656-142-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2656-143-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2656-144-0x0000000002BE0000-0x0000000002BF7000-memory.dmp

Filesize
92KB

Download
memory/2656-147-0x0000000002F90000-0x0000000003019000-memory.dmp

Filesize
548KB

Download
memory/2656-148-0x0000000002F90000-0x0000000003019000-memory.dmp

Filesize
548KB

Download
memory/2656-150-0x0000000002F90000-0x0000000003019000-memory.dmp

Filesize
548KB

Download
memory/2656-151-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2656-152-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2656-161-0x0000000004600000-0x0000000004654000-memory.dmp

Filesize
336KB

Download
memory/2656-165-0x00000000047A0000-0x0000000004828000-memory.dmp

Filesize
544KB

Download
memory/2656-169-0x0000000004830000-0x00000000048B9000-memory.dmp

Filesize
548KB

Download
memory/2656-168-0x0000000004830000-0x00000000048B9000-memory.dmp

Filesize
548KB

Download
memory/2656-171-0x0000000004830000-0x00000000048B9000-memory.dmp

Filesize
548KB

Download
memory/2656-178-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing